Process

unknown

attrib.exe

attrib.exe displays and changes file attributes such as hidden, system, and read-only. Administrators and scripts use it for routine file housekeeping. Attackers use it to hide their files from users and casual inspection by setting the hidden and system attributes.

File identity

File details

Not observed.

Signing information

Not observed.

File version (0)

Not observed.

File size (0)

Not observed.

Execution context

File paths (0)

Not observed.

User context (0)

Not observed.

Integrity level (0)

Not observed.

Instances (0)

Not observed.

Session (0)

Not observed.

Token privileges (0)

Not observed.

Ancestry

Parents (0)

Not observed.

Children (0)

Not observed.

Grandparents (0)

Not observed.

Grandchildren (0)

Not observed.

Behavior

Loaded modules (0)

Not observed.

Named pipes (0)

Not observed.

Process handles (0)

Not observed.

Command-line patterns (0)

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

attrib.exe reads and sets the basic file system attributes on files and folders: hidden (+h), system (+s), read-only (+r), and archive. The hidden and system attributes together keep a file out of normal directory listings and out of Explorer by default. The genuine binary lives at C:\Windows\System32\attrib.exe.

Legitimately, attrib is used in scripts and by administrators to set or clear attributes during file management. What gives an instance meaning is which attributes it sets and on which target.

Security notes

attrib.exe is used to conceal files (T1564.001). Setting the hidden and system attributes (attrib +h +s payload.exe) keeps a dropped file out of default directory views, a simple but common way to keep tooling and staged data out of sight. The same trick on removable media hides the real files while a lure is shown, a long-standing worm behavior.

Because attrib is an ordinary file utility, the target and context are what matter. Hiding freshly written files in a user-writable directory, or doing so as part of a sequence with download and execution commands, is what separates concealment from routine housekeeping.

Anomaly signals (5)
  • Image path other than C:\Windows\System32\attrib.exe (high)
  • +h +s applied to dropped files in Temp, AppData, or a user profile (high)
  • Parent is an Office application, a script host, or an unfamiliar process (high)
  • Hiding files on removable media (a worm-spreading pattern) (med)
  • Run alongside other staging or anti-forensics commands (med)
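
The following is an added example, not part of the original page: a small triage function that scores process-creation events against the first four signals above. The event field names, the parent list and the caller-supplied set of removable drive letters are assumptions; "unfamiliar process" and command-sequence correlation need a baseline and are not covered.

```python
import ntpath
import re

GENUINE_IMAGE = r"c:\windows\system32\attrib.exe"
# Illustrative parent list (assumption): Office applications and script hosts.
SUSPECT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                   "wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(temp|appdata)\\|^[a-z]:\\users\\", re.I)

def parse_attrib(cmdline):
    """Return (attributes being set, target paths) from an attrib command line."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)[1:]]
    added = {t[1].lower() for t in tokens if re.fullmatch(r"\+[a-z]", t, re.I)}
    targets = [t for t in tokens if t and t[0] not in "+-/"]
    return added, targets

def score_event(event, removable_drives=frozenset()):
    """Return [(severity, signal)] for one process-creation event (a dict)."""
    hits = []
    if ntpath.normpath(event["image"]).lower() != GENUINE_IMAGE:
        hits.append(("high", "image path other than System32"))
    if ntpath.basename(event["parent_image"]).lower() in SUSPECT_PARENTS:
        hits.append(("high", "parent is Office application or script host"))
    added, targets = parse_attrib(event["command_line"])
    if "h" in added:
        if "s" in added and any(USER_WRITABLE.search(t) for t in targets):
            hits.append(("high", "+h +s in Temp, AppData or user profile"))
        drives = {ntpath.splitdrive(t)[0].upper() for t in targets}
        if drives & set(removable_drives):
            hits.append(("med", "hiding files on removable media"))
    return hits

# Constructed sample events (field names are assumptions, not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\attrib.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"attrib -r C:\build\output\*.dll /s"},
    {"image": r"C:\Windows\System32\attrib.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'attrib +h +s "C:\Users\alice\AppData\Local\Temp\payload.exe"'},
    {"image": r"C:\Users\Public\attrib.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"attrib +h E:\Documents /s /d"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["command_line"], "->", score_event(ev, removable_drives={"E:"}))
```

Relative targets such as a bare file name are not matched against the directory patterns; resolving them requires the process's working directory from the same event.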

Telemetry

OS prevalence (0)

Not observed.

Observation timeline

Not observed.
